Privacy Policy – Data Protection & GDPR Statement


We are Just Add Tech and we confirm that we will comply with the provisions of the General Data Protection Regulation (GDPR) when processing personal data about you and your family. The General Data Protection Regulation will have superseded the Data Protection Act 1998 (DPA) on the 25th May 2018.

For the purposes of the law and these principles, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In relation to the majority of our data, we are data controllers, although where we are responsible for eg migrating a clients finance system, they are the data controller and we are ‘data processors’. A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

We act as data processors for a number of clients (the data controllers) and do not expect to receive any data which is sensitive personal data in relation to this. We will:

  • only process the personal data provided in accordance with the data controller’s instructions and in accordance with our contract with them
  • implement technical and organisational measures in line with the GDPR to ensure the fair and lawful processing and the security of such data
  • not disclose the data or transfer it to any third party without the explicit permission of the data controller, unless we are legally obliged to do or it is permitted and authorised by the contract with the data controller
  • ensure that appropriate records are kept in order that we are able to demonstrate compliance with GDPR principles
  • comply with our obligations to notify the regulatory authorities of any data breach.

The person responsible for data protection under GDPR for Just Add Tech is Michael Da Silva.

We shall use appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. We shall not sub-contract any processing of personal data unless the sub-contractor has agreed that the personal data continues to be subject to an appropriate level of protection. To the extent we act as data processor for you, we shall only process personal data in accordance with your instructions.

We shall answer your reasonable enquiries to enable you to monitor compliance with this clause. We do not collect “sensitive personal data”.


Personal data we collect and process

The type of personal data that we process depending on the type of services we are engaged with you can be;

Mob / Tel No.
Email Address

The categories of the data subjects depending on what services we are engaged with you can be;
Company Directors and Decision Makers

If we are carrying out a finance system migration on your behalf we may have access to;
Employees of Client (Payroll Information).


How we use personal data

In order to carry out services of the agreed engagement between us and for related purposes such as updating and enhancing our client records, analysis for management purposes and crime prevention we may obtain, process, use and disclose personal data about you. You shall ensure that any disclosure of personal data to us complies with the GDPR.

Our policy is to collect only the personal data necessary for agreed purposes and we ask clients to only share personal data where it is strictly needed for those purposes. We collect personal data from our clients or from third parties acting on the instructions of the relevant client.

We process personal data to provide professional services such as system migrations,  systems consultancy as part of the range of services we offer. We also process personal data in the administration and management of our business.

We will only share personal data with others when we are legally permitted to do so.  When we share data with others, we put contractual arrangements and security mechanisms in place to protect your data. We use third parties located in other countries to help us run our business which are SaaS providers.  As a result, personal data may be transferred outside the countries where we and our clients are located.  This includes countries outside the European Union (“EU”). We ensure that all third party SaaS providers comply with the appropriate safeguards and EU data export restrictions when personal data is exported outside of the EU.

Your contact details are used to provide you with information about our services and other information which we think will be of interest to you or your business, unless you tell us not to.

We will never disclose any of your personal data to a third party.


How we collect and store personal data

We can collect your personal data in a variety of different ways. These can be via email communication, website contact form, hard copy of letters, access given from you to us on third party systems and telephone calls.

We take the security of your data we hold seriously.  We have a policy including procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

We use SaaS systems to store and process your personal data so that we can carry out the services of the agreed engagement. The SaaS systems that we use have the data stored securely by using industry-standard encryption which is the same technology that banks use to protect financial data.

Personal data may be transferred outside the countries where we and our clients are located.  This includes countries outside the European Union (“EU”). We ensure that all third-party SaaS providers comply with the appropriate safeguards and EU data export restrictions when personal data is exported outside of the EU.

At Just Add Tech, we take privacy and security very seriously. We have taken steps with our internal processes and procedures to ensure that your personal data is safe guarded and secure.

We do not store login credentials that have access to your personal data un-securely i.e using excel spreadsheets or on hard copies of paper. All login credentials are stored using an industry-standard encrypted password manager. This password manager is controlled by us and we can disable user accounts should we have to.

All of the computers at Just Add Tech Systems are regularly scanned for malware, viruses and spyware and security updates are regularly applied to all of the computers that we have in the office when they become available.


How long do we retain your personal data

We are subject to legal, regulatory and professional obligations.  We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

Personal data processed is kept by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).  In the absence of specific legal, regulatory or contractual requirements, our retention policy period for records and other documentary evidence created in the provision of services is 7 years.


How to access & control your personal data

You have the right to access your personal data and obtain confirmation that your data is being processed.

A copy of this information will be provided free of charge. If a request becomes manifestly unfounded, excessive or particularly repetitive then a fee will be charged. The fee will be based on the administrative cost for providing this information.

Information will be provided to you without delay and at the latest within one month of receipt. We will be able to extend the period of compliance by a further two months where requests are complex or numerous. In this case, you will be informed within one month of the receipt of the request and be given an explanation for the extension.

If a request becomes manifestly unfounded, excessive or particularly repetitive we do have the right to refuse to respond to this request. You will be informed with an explanation as to why your request was refused and you have the right to complain to the supervisory authority and to a judicial remedy.

We must verify the identity of the person making the request using “reasonable means”. We will provide information for your request electronically in a commonly used format if your request is made electronically.

You are entitled to have personal data rectified if it is inaccurate or incomplete. We will respond to this request within one month. This can be extended by two months where the request for rectification is complex.

You have the right to have your personal data erased unless there is a compelling reason for it to not be deleted. You have the right for your personal data to be erased in the circumstances below;

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
  • The personal data must be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

We can refuse to comply with your request for erasure in the circumstances below;

  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • the exercise or defence of legal claims.

You have the right to data portability. This will be provided by us free of charge and will be in a commonly used electronic format such as a CSV file.

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

If you do want to complain about our use of your personal data, please contact us below with the details of your complaint. You also have the right to register a complaint with the Information Commissioner’s Office (“ICO”).  For further information on your rights and how to complain to the ICO, please refer to their website.

To request access to personal data that we hold about you, or request that we update or correct any personal information we hold about you or want to complain about the use of your personal data then please do so in writing by emailing


Data breaches

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We will do this within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.

We have breach detection and investigation procedures in place. This will facilitate decision-making about whether or not we would need to notify the relevant supervisory authority and the affected individuals. We will also keep a record of any personal data breaches, regardless of whether we are required to notify the relevant supervisory authority.



Communication between us is confidential and we shall take all reasonable steps to keep confidential your information except where we are required to disclose it by law, by regulatory bodies, by our insurers or as part of an external peer review. Unless we are authorised by you to disclose information on your behalf this undertaking will apply during and after this engagement.

We may, on occasions, subcontract work on your affairs to other professionals within the industry. The subcontractors will be bound by our client confidentiality terms.

We reserve the right, for the purpose of promotional activity, training or for other business purpose, to mention that you are a client. As stated above we will not disclose any confidential information.


Controller and processor terms

Duration of processing

We will process personal data in order to carry out services of the agreed engagement until we are instructed to stop, and a date of disengagement has been agreed.

what services we are engaged with you can be;
Company Directors and Decision Makers

If we are carrying out a finance system migration on your behalf we may have access to;
Employees of Client (Payroll Information).

Start typing and press Enter to search